EVALUATION REPORT

REDACTED VERSION

Information System Security Evaluation of the Technical Training Center – Chattanooga, TN

OIG-09-A-11 July 22, 2009

All publicly available OIG reports are accessible through NRC's Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/

Office of the Inspector General
Information System Security Evaluation of the Technical Training Center – Chattanooga, TN

Contract Number: GS-00F-0001N
Delivery Order Number: 20291

July 21, 2009

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

EXECUTIVE SUMMARY

BACKGROUND

The Nuclear Regulatory Commission's (NRC) Technical Training Center (TTC) was established in Chattanooga in 1980 as part of an expanded program of training based primarily on lessons learned from the Three Mile Island incident. Chattanooga was originally selected as the site for enhanced inspector training because the agency's technical training programs needed to make greater use of reactor simulators owned by the Tennessee Valley Authority. Since 1980, the NRC has purchased its own simulators and currently has four operating at the Chattanooga site.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002. FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program [1] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. FISMA also requires assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency's Inspector General or by an independent external auditor.

The NRC Office of the Inspector General (OIG) requested that the four NRC regional offices and the TTC be included in the independent evaluation of the agency's implementation of FISMA for fiscal year 2009. Information security policies, procedures, and practices at the regional offices and the TTC were last assessed in 2003 and 2006. This report describes evaluation findings for the TTC.

PURPOSE

The objectives of the information system security evaluation of the TTC were to:

• Evaluate the adequacy of NRC's information security program and practices for NRC automated information systems as implemented at the TTC.
• Evaluate the effectiveness of agency information security control techniques as implemented at the TTC.
• Evaluate corrective actions planned and taken as a result of previous OIG evaluations.

[1] For the purposes of FISMA, the agency uses the term "information system security program."

RESULTS IN BRIEF

The TTC has made improvements in its implementation of NRC's information system security program and practices for NRC automated information systems since the previous evaluations in 2003 and 2006. All corrective actions from the previous evaluations have been implemented. However, the information system security practices are not always consistent with the NRC's automated information systems security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Systems Security Program, other NRC policies, FISMA, and National Institute of Standards and Technology (NIST) guidance. While many of the TTC's automated and manual security controls are generally effective, some security controls need improvement. Areas needing improvement included physical and environmental security controls, continuity of operations and emergency planning, and configuration management. Specifics cannot be presented in this publicly released version of the report.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC's information system security program and implementation of FISMA at the TTC.

THE FULL REPORT CONTAINS SECURITY RELATED INFORMATION THAT IS NOT RELEASED TO THE PUBLIC. FOR ADDITIONAL INFORMATION, PLEASE CONTACT THE OFFICE OF THE INSPECTOR GENERAL AT 301-415-5915.